Blocking tens of thousands of IP's

Francis Daly francis at
Thu Nov 3 19:00:35 UTC 2016

On Tue, Nov 01, 2016 at 03:15:45PM +0000, Cox, Eric S wrote:

Hi there,

> Is anyone aware of a difference performance wise between using
> return 403;
> vs
> deny all;
> When mapping against a list of tens of thousands of ip?

I think the answer is "no".

I would expect that "return 403" would be quicker, since the rewrite
phase happens before the access phase. But I also suspect that the
"checking the list of tens of thousands" that would have to happen first,
would swamp any difference.

I think that the general rule is that if you do not measure a difference,
there is not an important difference to you.

And yes, use "geo" rather than "map" or any other list.

(Or: build one of each in your lab and measure.)


Francis Daly        francis at
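An added example, not part of the original message or of nginx itself: one way to turn a raw list of tens of thousands of addresses into the include file for a "geo" block, going slightly beyond the thread by validating entries and collapsing adjacent ranges. The file path, the variable name `$blocked` and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample input: one address or CIDR per line, plus junk to reject.
SAMPLE = """\
# constructed blocklist
203.0.113.7
203.0.113.6
198.51.100.0/25
198.51.100.128/25
2001:db8::1
not-an-ip
203.0.113.7
"""

def build_geo_entries(text):
    """Return (geo_lines, rejected) for a raw blocklist.

    Entries with host bits set (e.g. 203.0.113.7/24) are rejected rather
    than silently widened, so a typo cannot block a whole subnet.
    """
    nets = {4: set(), 6: set()}
    rejected = []
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item)  # strict: host bits are an error
        except ValueError:
            rejected.append(item)
            continue
        nets[net.version].add(net)  # the set drops exact duplicates
    lines = []
    for version in (4, 6):
        # collapse_addresses merges adjacent/overlapping ranges and sorts them
        for net in ipaddress.collapse_addresses(nets[version]):
            lines.append(f"{net} 1;")
    return lines, rejected

# nginx side (assumed path and variable name):
#   geo $blocked { default 0; include /etc/nginx/blocklist.geo; }
#   server { if ($blocked) { return 403; } }
if __name__ == "__main__":
    geo_lines, bad = build_geo_entries(SAMPLE)
    print("\n".join(geo_lines))
    print("rejected:", bad)
```

Review the rejected entries before each reload, and check the generated file with `nginx -t` before it goes live.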
